
Changing A Remote Gateway IP

(2013-12-05)

Problem

You have an ASA running 8.2(something). You have an L2L (site-to-site) IPsec VPN with a remote peer, and that remote peer is changing its IP address.

Solution

Here's what I did:

  • create a new name object for the new peer IP
  • create a new tunnel-group definition keyed by the new IP, duplicating the settings (type, pre-shared key, and so on) from the definition for the old IP
  • at switchover time, change the crypto map $MAP $NUMBER set peer statement to the new peer object name

And then it didn't work. Digging around a lot in the logging eventually yielded "IKE Peer address not configured for destination 0.0.0.0", and digging around on that message eventually yielded this explanation:

This message appears when the IKE peer address is not configured for a L2L tunnel. This error can be resolved by changing the sequence number of crypto map, then removing and reapplying the crypto map.

What that meant for me in practice was:

conf t
no crypto map outside_map 1 match address outside_1_cryptomap
no crypto map outside_map 1 set peer REMOTEPEER
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
no crypto map outside_map interface outside
exit
conf t
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer REMOTEPEER
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
exit

...i.e. literally removing the crypto map entry and its interface binding and re-applying them. After that, the site-to-site came up properly. One caveat worth knowing before you do this: "no crypto map outside_map interface outside" unbinds the whole map from the interface, so every L2L tunnel terminating on outside drops until it is re-applied, not just the one whose peer is changing.
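The whole switchover as one pasteable sequence, as an added example rather than config from the original post. It assumes an old peer of 198.51.100.10 named OLDPEER, a new peer of 203.0.113.10 named NEWPEER (both documentation addresses, not real peers), and the crypto map, ACL and transform-set names used above; ASA treats lines beginning with a colon as comments, so the annotations can be pasted along with the commands.

```cisco
: Added example, not from the original post. Assumed: old peer 198.51.100.10 (OLDPEER),
: new peer 203.0.113.10 (NEWPEER), ASA 8.2 syntax, names already enabled.
conf t

: 1. Name object for the new peer IP so the crypto map can reference it by name
name 203.0.113.10 NEWPEER

: 2. New tunnel-group keyed by the new peer IP. The PSK has to be re-entered by hand:
:    show run masks it as ***** so it cannot simply be copied from the old definition.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <same-key-as-the-old-tunnel-group>

: 3. At switchover: remove and re-apply the crypto map entry with the new peer, and
:    re-bind the map to the interface, so the ASA stops looking for peer 0.0.0.0.
:    Unbinding the map briefly drops every tunnel on the outside interface.
no crypto map outside_map 1 match address outside_1_cryptomap
no crypto map outside_map 1 set peer OLDPEER
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
no crypto map outside_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer NEWPEER
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
exit

: 4. Verify: expect a phase-1 SA to 203.0.113.10 and phase-2 SAs whose
:    encaps/decaps counters increase once interesting traffic is sent.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10

: 5. Only after traffic flows, retire the old peer's definitions
conf t
clear configure tunnel-group 198.51.100.10
no name 198.51.100.10 OLDPEER
exit
```

Do step 5 last: if the remote side turns out not to have cut over yet, keeping the old tunnel-group means rolling back is just the step 3 block with OLDPEER instead of NEWPEER.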